Threat Intelligence

10/21/2016
NSA Contractor Over 20 Years Stole More Than 50 Terabytes Of Gov't Data

Harold Martin, now in custody, is a risk to himself and others if freed from custody, a US prosecutor warns in a detailed filing in the case.

When law enforcement officials stumbled upon a cache of firearms while executing a search warrant on the premises of Harold Martin, the National Security Agency (NSA) contractor recently arrested for stealing classified information, his very distraught wife asked for the weapons to be removed from her home.

She was afraid that he would use them to kill himself if he "thought it was all over," US Attorney Rod Rosenstein said in a pretrial motion that paints a troubling if somewhat incomplete picture of the man behind what could arguably be the biggest-ever case of insider theft.

Rosenstein's motion, filed in the US District Court for the District of Maryland this week, urges the court not to release Martin from pretrial custody. It uses his wife's concerns of self-inflicted harm and a litany of other reasons as a basis for the request.

The 12-page legal brief alleges that in the 20 years between 1996 and 2016 during which Martin worked with the government, he stole a staggering 50 terabytes of data in digital form, plus an additional six banker's boxes full of printed documents.

It is unclear why Martin's alleged theft of classified as well as unclassified data over such an extended period of time was never spotted. The apparent fact that he was able to continue illegally accessing data even after Snowden's data theft prompted a government-wide security overhaul is also sure to raise new alarms about the effectiveness of that overhaul.

A lot of the data he allegedly stole was marked Secret or Top Secret, and at least some of it is what the government considers information of national defense and national security import.

For instance, one of the classified documents allegedly in Martin's possession was marked "Top Secret/Sensitive Compartmented Information" ("TS/SCI") and pertained to specific operational plans against a known US enemy, Rosenstein said. Martin's cache of stolen data is also believed to have included information on top-secret hacking tools developed by US intelligence agencies, the New York Times reported this week, citing unnamed sources.

The staggering volume of data that was allegedly found in Martin's possession would appear to make his theft even bigger than Edward Snowden's heist.

"The Defendant was in possession of an astonishing quantity of marked classified documents which he was not entitled to possess," Rosenstein noted in somewhat of an understatement. "Many of the marked documents were lying openly in his home office or stored in the backseat and trunk of his vehicle."

Martin regularly carried highly sensitive data in his vehicle and routinely parked it in his driveway because he didn't have an enclosed garage, the filing revealed.

Even the 50,000 gigabytes of digital information that he is believed to have stolen could be a conservative estimate, Rosenstein's legal brief said, noting that each gigabyte offers enough space to store 10,000 pages of text and images.

The legal document shows that Martin's alleged illegal behavior began in 1996, when he abused his access to classified information while serving in the US Naval Reserves. Between then and his arrest on August 27, Martin worked at several government agencies, including the National Security Agency, as an employee of seven different private contractors.

With his security clearance, Martin worked on highly classified and specialized projects and signed numerous non-disclosure agreements acknowledging the sensitive nature of his work and his commitment not to abuse his access to sensitive data.

"The Defendant's decades of criminal behavior were in flagrant violation of his many promises and oaths, as well as the law," Rosenstein said.

The motion called attention to Martin's enrollment in a Ph.D. program in information security at the time of his arrest, and to his several advanced degrees and expertise in areas like encryption, anonymization, and secure communication. Such skills would make it easy for Martin to access and transmit to others any information he may have stored online, Rosenstein said in arguing against Martin's release from custody.

"As a trusted insider, the Defendant was able to defeat myriad, expensive controls placed on that information," and he has the skill to transfer all of the stolen information electronically and make it available to others if he were given access to the Internet, the prosecuting attorney noted.

The motion does not make clear what Martin's motives might have been. But it makes clear that, in the prosecutor's view, there is enough evidence to suggest that Martin either illegally shared or planned to share the data with others.

For example, the 10 firearms recovered from his home included an "AR-style tactical rifle and a pistol-grip shotgun with a flash suppressor."

In addition, he had a loaded handgun in his car in violation of state law. If Martin had stolen the data for his own edification, as claimed, there would have been little reason to "arm himself as though he were trafficking in dangerous contraband," Rosenstein argued.

Similarly, a printed email chain marked "Top Secret" recovered from Martin's car had handwritten notes on the back of the document describing classified technical operations, which appeared intended "for an audience outside of the Intelligence Community."

'Prime Target'

The extensive publicity the case has received guarantees that every foreign counterintelligence agency knows Martin has access to highly sensitive data, whether hidden in physical locations, stored in cyberspace, or retained in his head, the filing said.

"This makes the Defendant a prime target, and his release would seriously endanger the safety of the country and potentially even the Defendant himself," Rosenstein said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
